Two prominent VPN services could have been hacked through malicious software updates, researchers from the website VPNpro discovered. If you were using one of them, your computer could have been completely hijacked with almost any kind of malware before you realized it.

The two VPN services, Betternet and PrivateVPN, have since fixed the flaws. Before the fix, an attacker in a man-in-the-middle position could have fed the Betternet and PrivateVPN Windows clients fake software updates: the client software did not verify that an update came from the legitimate update server rather than from a malicious one, so it accepted whatever the connection delivered.

"Rather than protect their users' data, PrivateVPN and Betternet [had] overlooked a crucial security aspect that allows for malicious actors to steal that data or do even worse actions," the VPNpro report said.

The VPNpro researchers looked at 20 widely used VPN services: Betternet, CyberGhost, ExpressVPN, Hide.me, HMA (Hide My Ass), Hola VPN, Hotspot Shield, IPVanish, Ivacy, NordVPN, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, TorGuard, TunnelBear, TurboVPN, SurfShark, VyprVPN and Windscribe.

Fourteen of the 20 services had no issues. For the other six, VPNpro was able to intercept the client-server communications. Two of those six, Hotspot Shield and Hide.me, could be intercepted, but their client software did not actually connect to VPNpro's proof-of-concept malicious server.

Four of the services' client software did connect to VPNpro's malicious server. Two of those, CyberGhost and TorGuard, did not download the malicious software update VPNpro had put there.

Betternet and PrivateVPN both did, though. The Betternet client software did not automatically install the malicious update, but prompted the user to do so. (Most users probably would click "OK" without hesitation.) The PrivateVPN client installed the update automatically.
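The attack works because the client treats whatever the update channel delivers as genuine. What separates a client that survives the man-in-the-middle from one that installs the attacker's payload is a check that does not depend on the network at all: the update must carry a signature from a vendor key the client already holds, must name the exact installer bytes, and must be newer than what is installed. The Go program below is an added example written for this article, not VPNpro's proof of concept and not the code of either vendor's client; the vendor and attacker key pairs, the installer bytes and the "malicious payload" are all generated or constructed inline so that it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The vendor signs it with an offline
// release key; the client ships with only the matching public key.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// SignedManifest is what the update server hands out: the exact manifest
// bytes plus an Ed25519 signature over those bytes.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest not signed by the vendor release key")
	ErrRollback     = errors.New("manifest version is not newer than the installed version")
	ErrHashMismatch = errors.New("installer does not match the hash in the signed manifest")
)

// signRelease is the vendor-side step, run at release time (assumed offline).
func signRelease(priv ed25519.PrivateKey, version int, installer []byte) (SignedManifest, error) {
	sum := sha256.Sum256(installer)
	raw, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// verifyUpdate is the client-side check. It assumes the transport is hostile:
// a man-in-the-middle may have replaced the manifest, the installer or both,
// so the installer is accepted only if the manifest carries a valid vendor
// signature, is newer than the installed version, and names this exact installer.
func verifyUpdate(vendorPub ed25519.PublicKey, installedVersion int, sm SignedManifest, installer []byte) (Manifest, error) {
	if !ed25519.Verify(vendorPub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	if m.Version <= installedVersion { // reject replay of an older (possibly vulnerable) release
		return Manifest{}, ErrRollback
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	return m, nil
}

// demo plays out the report's attack against this client and returns the
// outcome of each scenario keyed by name. Every input here is constructed.
func demo() map[string]error {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // demo key standing in for the vendor's offline key
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed sample installer, release 2")
	release, err := signRelease(vendorPriv, 2, installer)
	if err != nil {
		panic(err)
	}
	// Attacker on the cafe Wi-Fi: controls the connection, not the vendor key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	malware := []byte("constructed malicious payload")
	forged, _ := signRelease(attackerPriv, 3, malware)

	out := map[string]error{}
	// Genuine manifest and installer from the real server: accepted.
	_, out["legitimate"] = verifyUpdate(vendorPub, 1, release, installer)
	// Genuine manifest, installer swapped in transit: hash mismatch.
	_, out["swapped installer"] = verifyUpdate(vendorPub, 1, release, malware)
	// Whole response replaced by an attacker-signed manifest: bad signature.
	_, out["forged manifest"] = verifyUpdate(vendorPub, 1, forged, malware)
	// Old genuine release replayed to a client already on version 2: rollback.
	_, out["replayed old release"] = verifyUpdate(vendorPub, 2, release, installer)
	return out
}

func main() {
	for name, err := range demo() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

Only the "legitimate" scenario returns a nil error; the three attacker scenarios each fail on a different check, which is the point: even if the attacker owns the Wi-Fi and the TLS connection, the signature, the hash and the version check are computed from data the client already trusts, not from the channel.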

The real-world implications

The attacks described are not purely academic or confined to a lab setting.

"Imagine you're sitting in a cafe or at the airport and connect to the free Wi-Fi," VPNpro said in its report. "You make sure to connect to a VPN before going online. Then, you get a notification on your VPN tool to install a recent update.

"Of course, you do, because it's important to keep your software up-to-date," VPNpro said, then added that doing so could install ransomware, spyware or practically any kind of malware on your computer.

You can avoid such attacks, VPNpro said, by never downloading software updates while on an untrusted or open Wi-Fi network. It's all too easy for pranksters and criminals to set up malicious Wi-Fi hotspots with innocuous names like "Starbucks Wi-Fi" or "AT&T Free Hotspot." That advice limits your exposure, but it is not a substitute for the vendor-side fix: a client that checks the signature on every update rejects a tampered one on any network, while a client that doesn't can be fed a fake update by anyone positioned between it and the update server.

And, of course, you can avoid most malware attacks, no matter how they arrive on your computer, by running one of the best antivirus programs.